South Carolina has become the first state to enact a version of the Insurance Data Security Model Law,
drafted by the National Association of Insurance Commissioners (“NAIC”) in 2017. The South Carolina Insurance Data Security Act became effective on January 01, 2019.
To Whom Does the Act Apply?
The Act applies to all licensees of the South Carolina Department of lnsurance. The law expressly excludes out of state purchasing groups or risk retention groups, out of state licensees who are only acting as an assuming reinsurer or licensees with fewer than ten employees.
Is Cyber Risk Management a Board of Directors Issue?
Yes, the South Carolina Data Security Model Law states that the licensee’s board of directors or a designated executive management committee must develop, implement, and maintain a written information security program (“WISP”).
What are the Requirements of the South Carolina Insurance Data Security Act?
Licensees have until July 01, 2019 to implement a WISP designed to promptly respond to, and recover from, a cybersecurity incident. The WISP must be commensurate with the size and complexity of the licensee and the nature and scope of the licensee’s activities along with its third-party service providers.
The WISP must include a written incident response plan designed to promptly respond to, and recover from, a cybersecurity event.
Lastly, the licensee must implement and maintain an employee security awareness training program.
What about Third-Party Service Providers?
By July 1, 2020, all licensees must have assessed their third-party service providers to ensure that data security best practices are in place.
Call to Action:
While South Carolina was the first state to enact the NAIC Data Security Model Law, other states are soon to follow. South Carolina insurance licensees are required to certify compliance on an annual basis with the South Carolina Insurance Data Security Act with the Department of Insurance. Cyber Special Ops, LLC is here to offer its expertise, experience and agility to help you address these data security requirements.